LastPass could have been leaking your passwords

Ormandy reported the vulnerability on Monday; it affected the Chrome and Firefox extensions of the popular password management tool. He warned that these add-ons could be used to steal user passwords. Later on, he said that he had identified another vulnerability that could be exploited to steal passwords for any domain.

Security researchers explained that the extension coding flaws allowed anyone to “proxy” unauthenticated messages to a LastPass browser extension. An attacker could gain access to privileged LastPass commands, including the ability to copy passwords.

In a blog post published today, LastPass explained that the issue was related to an experimental feature. While Ormandy has disclosed over three vulnerabilities, LastPass said they are "largely the same". The company has now patched the flaws and added that updates would be automatically installed for all users.

On the night of March 20th, we received a report of an issue in our Chrome 4.1.42.80 extension. We immediately investigated and released a server-side workaround within a few hours. The exploit applied to all LastPass clients – Chrome, Firefox, Edge – in which an experimental user onboarding feature was released.

Following this, Ormandy reported that the bug also affects Firefox. "This vulnerability is largely the same as the one reported the prior day, and affecting the 4.x Firefox addon," LastPass said.

We are aware of reports of a Firefox add-on vulnerability. Our security is investigating and working on issuing a fix.

LastPass said that its investigation had found no indication that any sensitive user data was lost or compromised. Hence, no master password change or site credential password change is required, the company added.

"We have no indication that any of the reported vulnerabilities were exploited in the wild, but we're doing a thorough review at this time to confirm," the company wrote. "We will soon provide a more comprehensive summary of the events and what our community needs to know."
